Tag: Automation

At Threat Stack, we often talk about visibility. We have promoted visibility from an operations perspective and have given our customers visibility into their environments through our intrusion detection platform. But when it comes to change management, how do we give ourselves the same level of visibility into our internal process changes at Threat Stack? This became a very real question as we decided to roll out our Type 2 SOC 2 program over the last year, and the answer turned out to be sockembot — an automated SOC 2 compliance checking bot that we describe in this blog post.Read more “sockembot: How Threat Stack Added Automation & Visibility to its SOC 2 Change Management Process”

Mean Time To Know (or MTTK for short) is one of the most important metrics in security operations. It measures how efficient the security team is at detecting real threats. The shorter it is, the sooner you will catch an attack in progress and be able to put a stop to it, reducing the negative consequences for your organization.

But the reality is, it’s not so easy to reduce MTTK. For starters, security teams are barraged with alerts on a daily basis, requiring manual work to sift through the noise to find a signal that indicates a real issue. Add on all the other tasks that need to be done aside from alert investigations, and it’s seemingly impossible to get ahead.

This is where automation comes in. Automation not only eliminates the need to manually handle tedious tasks (like alert response). It also helps you to optimize your existing resources, empowering them to actually focus on MTTK and get it under control.

Many organizations have limited resources (time, personnel, and money) for IT, and oftentimes only a small portion of that is devoted to security. Given the limited resources available to create and execute a best practice security plan, you will need to face up to these constraints and prioritize security tasks.

One of the great things about the cloud is the ability for companies to grow and shrink their infrastructure elastically to meet varying levels of demand. What many people don’t think about is how to secure this sprawl of cloud compute instances. As new systems are deployed, how do you enforce a policy on them? How do you look for anomalous behavior when an instance hasn’t been up long enough to determine a baseline?

Cloud Sight has solved this problem from day 1 with our policy framework. Our policies encompass all attributes of an instance’s security posture: alert rules, file integrity rules, firewall rules, so many rules! But also, each policy has a unique, learned behavioral model associated with it. For example, an Apache web server process doesn’t usually fork /bin/sh. When our agent is activated, the instance’s baseline is already established from its peers which enables us to immediately start monitoring for anomalies.